The Cybersecurity Canon: There Will Be Cyberwar

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

Book Review by Canon Committee Member, Jon Oltsik: There Will Be Cyberwar: How The Move To Network-Centric War Fighting Has Set The Stage for Cyberwar (2015)by Richard Stiennon

Executive Summary

Richard Stiennon’s book There Will Be Cyberwar is a short (i.e., 136 pages), concise analysis of the cybersecurity impact of the U.S. military’s adoption of network-centric warfare. The book traces the history of the transition to network-centric warfare, which began in the early 1990s, gained steam throughout the decade, and is now a fundamental piece of U.S. military tactics and strategy overall.

Clearly the transition to network-centric warfare produced some astounding outcomes, such as precision-guided weapons, improved situational awareness through sensors and data collection, and vast advances in military communications as well as command and control. Stiennon argues, however, that these benefits come with a steep cost – as it further depends upon technology, the U.S. military has become extremely vulnerable to crippling cyberattacks that could degrade or even destroy its offensive and defensive capabilities.

To illustrate the extent of these vulnerabilities, the book begins with a fictitious military operation example in the Taiwan Straits, using this episode to illustrate the potential outcome if a military adversary (in this case the People’s Republic of China) was able to compromise U.S. military technologies as part of an attack. Needless to say, the results aren’t pretty.

To supplement his thesis on military technology vulnerabilities, Stiennon weaves in numerous real-world examples of cyberattacks on all types of military, intelligence, and even private sector organizations. These incidents are used to hammer home what’s at stake in terms of financial and operational damages. The book concludes with some brief suggestions on how the Pentagon should address its current cybersecurity weaknesses including bolstering cyber supply chain security, adopting more pervasive use of encryption (and strong key management) and continuously monitoring all network traffic.

There Will Be Cyberwar is not for everyone as it really looks at cybersecurity through the lens of network-centric warfare. As such, I cannot advocate its inclusion in the Cybersecurity Canon. For those cybersecurity professionals interested in military technology, IoT, public policy, and the geo-political landscape, however, this book can serve as a quick, high-level and interesting read.

Review:

The goal of the Cybersecurity Canon is fairly simple and concise: “To identify a list of must-read books for all cybersecurity practitioners – be they from industry, government or academia — where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.” Based upon this objective, There Will Be Cyberwar, by my old friend Richard Stiennon, may not qualify since it is solely focused on cybersecurity implications related to the evolution of network-centric warfare. But while this book may not be for everyone, it is an easy and worthwhile read for those cybersecurity professionals whose interests include government policies, internet of things (IoT) security, intelligence, surveillance and reconnaissance (ISR) platforms, high-tech military equipment, and geo-political issues.

Unlike other cybersecurity tomes, There Will Be Cyberwar grabs the reader’s attention right away in Chapter One where Stiennon describes a fictitious future (2018) U.S. military failure in the Taiwan Straits, presented to the reader as a report to the Senate Armed Services Sub-Committee.

Here, Stiennon borrows heavily from the 1995–1996 Taiwan Straits incidents. When tensions between the People’s Republic of China (PRC) and Taiwan escalated, the U.S. demonstrated its support for Taiwan by deploying several aircraft carrier groups to the region, the largest U.S. military presence in Asia since the end of the Vietnam War. In the mid-1990s, this show of force convinced the PRC that the U.S. would defend Taiwanese sovereignty, if necessary.

Stiennon’s book starts with a similar scenario, a show of American military force in response to escalating tensions between the two Chinas. This is where the similarities end, however, as Stiennon paints a detailed picture that can only be described as Murphy’s cybersecurity law. Just about everything that can go wrong (from a cybersecurity perspective) does go wrong – command-and-control (C2) channels are overwhelmed, nautical, aerial and satellite navigation systems are disrupted, communications systems fail, intelligence systems spew out false-positive/negative indicators, etc. This series of cascading failures produces grave results as well. Airplanes fly off-course and are shot down, weapons systems don’t work, radar systems fail to identify enemy assets, etc. In the end, U.S. forces dependent upon network-centric warfare tactics and equipment are mired in the fog of war and lose all ability to defend themselves. The result? Taiwan reunifies with the PRC in the most embarrassing and devastating military episode since Pearl Harbor.

I should note that Stiennon insists on a strict definition for the term “cyber Pearl Harbor” that is used occasionally by presidents, cabinet members and legislators, as well as intelligence and military personnel. Stiennon considers an attack on the private sector or U.S. critical infrastructure to be a “cyber 9/11,” as opposed to a “cyber Pearl Harbor,” which would be equated with a military defeat like the one the book describes.

This worst-case example presented in Chapter One is used as a jumping off point for Stiennon to focus on his overall message. While the U.S. has proceeded into network-centric warfare with both feet, it has done so without an appropriate commitment to cybersecurity. The rest of the book is dedicated to presenting this thesis.

Stiennon begins to prosecute his case with a brief history of how we got to this point. It starts by comparing the fictitious and real Taiwan Straits incidents and proceeds to describe the origins of network-centric warfare driven by Admiral Archie Clemins in the mid-1990s. The admiral set out to “bring the fleet into the information age” and enable “collaboration at sea.” This included integrating software, connecting systems and ships through TCP/IP networks, and instrumenting military equipment with sensors for information collection. It wasn’t long before the military brass back at the Pentagon learned about the project’s success and were more than willing to procure funding, outfit the entire naval fleet, and extend the concepts of network-centric warfare across the entire U.S. military.

The capabilities of network-centric warfare were most evident with the speed and tactics used in the first Gulf War, where the U.S. military displayed things like enhanced communications, new guided weapons, improved battlefield awareness, and some early offensive cybersecurity tactics to disrupt enemy command and control. After this series of battlefield successes, network-centric warfare was proclaimed as a revolution in military affairs (RMA) and “force transformation” in Washington while garnering a lot of attention from potential adversaries Moscow and Beijing. Stiennon also rightly points out that network-centric warfare progress paralleled a similar revolution in the private sector as innovations like the World Wide Web, Mosaic browser, and e-commerce transformed the internet from an academic/scientific network to a global information superhighway.

At this point in the story, Stiennon alters his role between reporter, critic and soothsayer. As the U.S. military and private sector embraced the internet, its warts were soon exposed. The book provides numerous examples where cyber adversaries intersected with the Pentagon’s embrace of internet communications and network-centric warfare. Some of these include a massive breach of American government, military and private sector computers in 2003 (aka “Titan Rain’), a similar but more pervasive set of incursions starting in 2008 that included theft of design documents for the Lockheed F-22 Raptor and F-35 Lightening (aka “Byzantine Hades”), a compromise of the military’s Secret Internet Protocol Routing Network (aka “SIPRnet”), the capture of military equipment and subsequent reverse engineering of an NSA operating system by the Chinese, and the interception of drone-to-ground communications by Iran. All of these incidents led to confidential data exfiltration and extremely high remediation costs.

Stiennon also educates the reader on the precarious relationship between software development and cybersecurity. When the U.S. Airforce tested millions of lines of software code, it found one software vulnerability for every eight lines of code, one “high vulnerability” for every 31 lines of code, and one “critical vulnerability” for every 70 lines of code. Thus, Stiennon is making readers aware of an obvious relationship: The more lines of software code used in military equipment, the more vulnerable it becomes to cyber exploits. The book also discusses problems with cyber supply chain security. Since many components used in military equipment are originally manufactured in China, it’s possible that many U.S. military assets are fraught with backdoors, easily exploited as tensions escalate.

The book does acknowledge that the U.S. military recognizes today’s threats and vulnerabilities and has taken some proactive steps to address these, such as the establishment of the U.S. Cyber Command. But Stiennon argues that Cybercom is focused on network defense and offensive operations; while, to this day, there is no solitary organized effort to address the potentially millions of vulnerabilities created by the military’s pivot to network-centric warfare.

Stiennon does offer some suggestions for addressing the issues presented in the book, such as an increased focus on encryption services and key management, improved cyber supply chain security, system hardening, operations hardening, continuous network monitoring, and the establishment of a force transformation czar with broad oversight and weapons procurement authority. These suggestions are fairly lightweight but do direct the reader to some general cybersecurity initiatives for further reading.

There Will Be Cyberwar has its share of shortcomings. For starters, the book is brief, at only 136 pages in length, so details are relatively sparse. The edition of the book I read also contained a number of typographical and textual errors which could leave readers somewhat skeptical of its overall quality. Finally, Stiennon dedicated a few chapters to the limitations of risk management and the need to focus on threat management instead. I understand his reasoning, that risk management equates to a “boil the ocean” exercise, while threat management is more focused; but any effort focused on eliminating vulnerabilities across network-centric warfare systems certainly demands a more comprehensive risk management methodology. Additionally, I’ve always thought of threat management as a component of risk management, so Stiennon’s argument was a bit confusing to me. In any case, truly protecting military technologies will require improvements in risk and threat management. I’m sure Richard would agree with this.

As I mentioned previously, There Will Be Cyberwar is not for everyone, as some cybersecurity professionals may not want to dig into the language, history and unique cybersecurity challenges around network-centric warfare technologies. For those interested in this topic, however, the book is a worthwhile, albeit brief, read and starting point for further research into the many issues it presents.